I tried this at home with a spare Linksys router - it was scarily easy. What made it worse was that the Linksys lets you think you've turned WPS without really doing so. That is, I turned WPS off, ran Reaver, and it still cracked my WPS PIN and WPA2 password in under 3 hours.

In my limited experience, Reaver is easier to use and more successful than cracking WEP with no client attached (which I've been unsuccessful in even though my target router is just in the next room.) And Reaver v1.4 comes with a tool called wash that allows you to scan your local area for WPS enabled routers. There wasn't a single router in my local area with WPS off.

One thing I found though was running Reaver caused a DoS on my primary wi-fi router, even though I'd turned the txpower way down. The significant other was not pleased.

I think that this is the most exciting part about security, well for me anyways. Stuff like this gives people like us a reason to think outside of the box to overcome these security shortcuts. I'm looking forward to trying to find a way to patch this flaw. But even after you shut one door another opens. Nothing is ever stopped, only hindered.

AFAIK, Linksys/Cisco are the only ones that don't actually turn WPS off (while letting you think you did). And they've been really slow in coming out with patches. The other brands (e.g. Netgear) actually do turn it off (confirmed). Another plus is that it takes a pretty strong signal to succeed. I asked my neighbor two houses over to plug in my router and Reaver failed in that case.

The sad fact is less than 10% of the routers in my neighborhood use WPA/2 in the first place. Most use WEP and one or two have no authentication at all. Still, for smaller companies the WPS vulnerability could be exploited and cause serious harm.

I am really surprised this hasn't caught more attention for such a huge vulnerability across the world.

I mean, I have used Reaver when no one was home (got into a neighbors' WiFi with it). Just looked around their router, saw it was an ISP-provided NetGear router.

If I remember correctly, once I got the commands down, it took a matter a minutes to get the WPS key correct, and therefore the WPA2 key. WPA2, yo! That's quite the black eye on such a secure encryption for WiFi, no?

My router is WPS-incapable, being that it runs Tomato; most Linksys-based WRT routers do not implement WPS in any way, shape, or form, so that vulnerability is right out the window for those of us running alternative firmware on Linksys gear.

So far, I've only used it when no one was home, and didn't do anything malicious, like setting new passwords, or changing settings. I just wanted to see how it worked, and if it worked. Surprisingly it did, and quickly.

Wireless is notoriously insecure. Even if there isn't an inherent vulnerability, such as this Reaver attack or WEP, the majority of people will continue to secure their devices poorly. More often than not, you just need to capture the WPA-handshake and have a few decent wordlists. Having a powerful GPU on-hand makes this attacking increasingly trivial.

As always, ensure you have written permission before attacking equipment that isn't yours. Something as innocuous as testing the exploit on your neighbors equipment can unnecessarily land you in hot water.

ajohnson, you are definitely right, but there was only one WiFi network around that might have been vulnerable, and that was the neighbors' network. Like I explained, I did nothing when I got in, just looked to see if it was one of the ones that doesn't turn WPS off, and then logged off.

JTD121 wrote:ajohnson, you are definitely right, but there was only one WiFi network around that might have been vulnerable, and that was the neighbors' network. Like I explained, I did nothing when I got in, just looked to see if it was one of the ones that doesn't turn WPS off, and then logged off.

Unfortunately these days, that's all it takes to land in hot water. That's like saying "The only lock I could try to pick was my neighbors, so I did it, but I didn't go in the house". Your neighbor is still not going to be pleased about it if they find out, even if you were just curious and meant no harm.